path: root/src/msec/msecperms.py
blob: a0f1676cf3ab196f332ec90b32498c6c5582f4f3 (plain)
#!/usr/bin/python -O
"""This file is responsible for permissions checking and
(optionally) enforcing.
"""

import glob
import re
import string
import os
import stat
import pwd
import grp
import sys
import logging
import getopt

# localization
import gettext

try:
    # gettext.Catalog is an alias of gettext.translation in both Python 2 and 3
    cat = gettext.translation('msec')
except IOError:
    # no 'msec' message catalog installed: fall back to identity "translation"
    _ = str
else:
    _ = cat.gettext

# config
import config

# version
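try:
    from version import version
except ImportError:
    # The generated version module is absent in a source checkout; only a
    # missing module is an expected condition -- a bare except here would
    # also hide syntax or runtime errors inside version.py.
    version = "development version"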

# libmsec
from libmsec import Log, PERMS

# {{{ usage
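def usage():
    """Print the command-line help of msecperms to stdout.

    The text is filled in with the program version and the path of the
    permissions configuration file (config.PERMCONF). The option list is
    kept in sync with the getopt() spec of the main block: the long form
    of ``-l`` is ``--list``, ``-d`` has the long form ``--debug`` and
    ``--enforce`` takes no argument.
    """
    text = """Msec: Mandriva Security Center (%s).

This applications verifies and (when required) enforces permissions
of certain files and directories.

The list of permissions is stored in %s.

Available parameters:
    -h, --help              displays this helpful message.
    -l, --list <level>      displays the default permissions configuration
                            for the specified security level.
    -f, --force <level>     force new level, overwriting user settings.
    -e, --enforce           enforce permissions on all files.
    -d, --debug             enable debugging messages.
    -p, --pretend           only pretend to change the level, perform no real
                            actions. Use this to see what operations msec
                            will perform.
"""
    # sys.stdout.write() behaves the same under Python 2 and 3; the extra
    # newline reproduces what the former print statement emitted.
    sys.stdout.write(text % (version, config.PERMCONF) + "\n")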
# }}}

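if __name__ == "__main__":
    # Entry point: parse options, require root, load the permissions
    # configuration (optionally resetting it to a level's defaults), then
    # check and -- unless pretending -- commit the permission changes.

    # default options
    log_level = logging.INFO
    force_level = False
    level = config.DEFAULT_LEVEL
    commit = True
    enforce = False

    # parse command line
    # NOTE: a getopt long option that takes a value needs a trailing '='.
    # Without it '--list <level>' / '--force <level>' silently produce ''
    # as the level and leave <level> behind as a positional argument.
    try:
        opt, args = getopt.getopt(sys.argv[1:], 'hel:f:dp',
                                  ['help', 'enforce', 'list=', 'force=', 'debug', 'pretend'])
    except getopt.error:
        usage()
        sys.exit(1)
    for name, value in opt:
        # help
        if name in ('-h', '--help'):
            usage()
            sys.exit(0)
        # list: read-only dump of a level's default permissions; it runs
        # before the root check on purpose and never touches the system
        elif name in ('-l', '--list'):
            level = value
            log = Log(interactive=True, log_syslog=False, log_file=False)
            permconf = config.load_default_perms(log, level)
            params = permconf.list_options()
            if not params:
                sys.stderr.write(_("Invalid security level '%s'.") % level + "\n")
                sys.exit(1)
            for path in params:
                user, group, perm, force = permconf.get(path)
                if force:
                    sys.stdout.write("!! forcing permissions on %s\n" % path)
                sys.stdout.write("%s: %s.%s perm %s\n" % (path, user, group, perm))
            sys.exit(0)
        # force new level
        elif name in ('-f', '--force'):
            level = value
            force_level = True
        # debugging
        elif name in ('-d', '--debug'):
            log_level = logging.DEBUG
        # permission enforcing
        elif name in ('-e', '--enforce'):
            enforce = True
        # check-only mode
        elif name in ('-p', '--pretend'):
            commit = False

    # verifying user id: everything below reads the system-wide permission
    # configuration and may chown/chmod files, so the effective uid must be 0
    if os.geteuid() != 0:
        sys.stderr.write(_("Msec: Mandriva Security Center (%s)\n") % version + "\n")
        sys.stderr.write(_("Error: This application must be executed by root!") + "\n")
        sys.stderr.write(_("Run with --help to get help.") + "\n")
        sys.exit(1)

    # configuring logging: mirror messages to the terminal only when run
    # interactively; always write to config.SECURITYLOG
    interactive = sys.stdin.isatty()
    if interactive:
        # logs to file and to terminal
        log = Log(log_path=config.SECURITYLOG, interactive=True, log_syslog=False, log_level=log_level)
    else:
        log = Log(log_path=config.SECURITYLOG, interactive=False, log_level=log_level)

    # loading permissions
    permconf = config.PermConfig(log, config=config.PERMCONF)
    if not permconf.load() and not force_level:
        # Without a configuration there are no rules to check or enforce;
        # stop here instead of running the checker over an empty rule set
        # and reporting success.
        log.error(_("Permissions configuration not found, please run '%s -f <level>' to initialize.") % sys.argv[0])
        sys.exit(1)

    # forcing new level
    if force_level:
        # first load the default configuration for level
        default_permconf = config.load_default_perms(log, level)
        params = default_permconf.list_options()
        if not params:
            log.error(_("Default configuration for level '%s' not found, aborting.") % level)
            sys.exit(1)
        for option in params:
            permconf.set(option, default_permconf.get(option))

    # load the main permission class
    perm = PERMS(log)

    # check permissions
    changed_files = perm.check_perms(permconf)

    # writing back changes: with --pretend nothing is applied. Forcing a
    # level always enforces, as before; '-e/--enforce' now enables the same
    # enforcement on its own (previously the flag was parsed but never used).
    perm.commit(really_commit=commit, enforce=enforce or force_level)
    # saving updated config (never with --pretend)
    if force_level and commit:
        if not permconf.save():
            log.error(_("Unable to save config!"))
    sys.exit(0)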